Symptom
When running an on-premises agent connector, you encounter the following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What's going on
The Datalink service could not build a certificate chain from the presented certificate to a trusted root certificate authority (CA) in the Java KeyStore (.jks file). The current version of Datalink uses separate .jks files as keystores:
- The manager's .jks file contains the private and public portions of the company standard *.apptio.com certificate.
- The agent's .jks file contains the public portions of certificates and all standard CA certificates, typically those of trusted certificate authorities such as GeoTrust and VeriSign.
Solution
There are three main troubleshooting steps for this issue, listed below in order of increasing technical complexity. Please check whether the issue is resolved after completing each section to avoid unnecessary modifications to your Datalink.
Verify your certificates
Verify that Datalink is looking at the correct trust stores for the necessary certificates, including the Apptio key store, the system's main trust store, and all custom paths that look for a trust store on disk.
Additionally, verify that your certificates are issued from Apptio.
- Navigate to your Datalink instance. On the login screen, open the Developer Tools.
- In the Security tab, select View certificate.
- Check that Issued to = *.apptio.com
If you are connecting to a data source that requires a certificate from another source to be accepted, such as a REST connector source server asking the client to accept an untrusted certificate, obtain that certificate and add it to the agent.jks key store. For examples of importing certificates, see the Install certificates to dlagent.jks section below.
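To see which chain a server actually presents and whether the agent's .jks trust store accepts it, the following added example (not Apptio code or part of Datalink) reproduces the PKIX check outside the agent. The class name TrustCheck, the STOREPASS environment variable, and the host and port arguments are assumptions; supply your own values.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

// Added diagnostic, not Apptio code. Read-only: it never modifies the keystore.
// Run: javac TrustCheck.java && java TrustCheck <agent .jks path> <host> [port]
// The keystore password is read from the STOREPASS environment variable (name assumed).
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 2 || System.getenv("STOREPASS") == null) {
            System.err.println("usage: STOREPASS=... java TrustCheck <jks> <host> [port]");
            System.exit(2);
        }
        int port = args.length > 2 ? Integer.parseInt(args[2]) : 443;

        // Load the trust store and build the default PKIX trust manager from it.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, System.getenv("STOREPASS").toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];

        // Record the chain the server presents, then delegate the real validation.
        X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException { pkix.checkClientTrusted(c, t); }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException { seen[0] = c; pkix.checkServerTrusted(c, t); }
            public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        String verdict = "TRUSTED by " + args[0];
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[1], port)) {
            s.startHandshake(); // checks the trust path only, not the host name
        } catch (SSLException e) {
            verdict = "NOT TRUSTED: " + e.getMessage();
        }
        for (int i = 0; seen[0] != null && i < seen[0].length; i++) {
            System.out.println("[" + i + "] subject=" + seen[0][i].getSubjectX500Principal().getName());
            System.out.println("    issuer =" + seen[0][i].getIssuerX500Principal().getName());
            System.out.println("    expires=" + seen[0][i].getNotAfter());
        }
        System.out.println(verdict);
    }
}
```

When the verdict is NOT TRUSTED, compare the printed issuer names and expiry dates with the entries in the trust store to identify which CA certificate is missing or expired.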
Whitelist Apptio traffic
Whitelist all incoming and outgoing traffic for *.apptio.com, which allows the manager to present the default certificate to the agent.
Install certificates to dlagent.jks
If the required certificate is missing, you can install certificates directly into the dlagent.jks file, found in the Datalink installation directory. Technical instructions to install certificates can be found in Oracle's documentation.
Please contact Apptio Support to obtain the keystore passwords required for this step.
Official software updates for your on-premises agent will overwrite the dlagent.jks file, removing your changes.
To avoid repeating this solution after every software update, make a backup copy of your dlagent.jks file after completing this step. After the update installation is complete, you can replace the newly updated dlagent.jks file with your backup version.
NOTE: For more information, please see the following articles: